
ARP

The document discusses address resolution protocol (ARP) which dynamically maps logical IP addresses to physical MAC addresses on a local area network. It explains that when a host wants to send a packet to another host, it first needs to determine the target's MAC address. ARP broadcasts a request packet containing the target IP address, and the target host responds with its MAC address. This allows the sending host to populate its ARP cache and send packets directly to the target using its physical address. Proxy ARP is also described, where a router can respond to ARP requests on behalf of other subnets.

ARP

OBJECTIVES:

• To make a distinction between logical address (IP address) and physical address (MAC address).
• To describe how the mapping of a logical address to a physical address can be static or dynamic.
• To show how the address resolution protocol (ARP) is used to dynamically map a logical address to a physical address.
• To show that the proxy ARP can be used to create a subnetting effect.
Types of Addresses in Internet
• Media Access Control (MAC) addresses in the network access layer
▫ Associated w/ network interface card (NIC)
▫ 48 bits
• IP addresses for the network layer
▫ 32 bits for IPv4, and 128 bits for IPv6
▫ E.g., 123.4.56.7
• IP addresses + ports for the transport layer
▫ E.g., 123.4.56.7:80
• Domain names for the application/human layer
▫ E.g., www.google.com
IP And MAC working together
• IP addresses are chosen by the local system administrator to suit the local network
• Ethernet addresses are built into the interface hardware by the manufacturer
• The two addresses bear absolutely no relationship to one another (as we would expect from the layering principles)
Why?

• Computers need MAC addresses!
▫ If not, we couldn't use the physical layer to send IP packets: we wouldn't know where a particular IP packet should physically be sent
MAC Address vs. IP Address
• MAC addresses
▫ Hard-coded in read-only memory when adaptor is built
▫ Like a social security number
▫ Flat name space of 48 bits (e.g., 00-0E-9B-6E-49-76)
▫ Portable, and can stay the same as the host moves
▫ Used to get packet between interfaces on same network
• IP addresses
▫ Configured, or learned dynamically
▫ Like a postal mailing address
▫ Hierarchical name space of 32 bits (e.g., 12.178.66.9)
▫ Not portable, and depends on where the host is attached
▫ Used to get a packet to destination IP subnet
Translation of Addresses

• Translation between IP addresses and MAC addresses
▫ Address Resolution Protocol (ARP) for IPv4
▫ Neighbor Discovery Protocol (NDP) for IPv6
• Translation between IP addresses and domain names (Domain Name System (DNS))
ADDRESS MAPPING

The delivery of a packet to a host or a router requires two levels of addressing: logical and physical. We need to be able to map a logical address to its corresponding physical address and vice versa. This can be done using either static or dynamic mapping.

Anytime a host or a router has an IP datagram to send to another host or router, it has the logical (IP) address of the receiver. But the IP datagram must be encapsulated in a frame to be able to pass through the physical network. This means that the sender needs the physical address of the receiver. A mapping associates a logical address with a physical address. ARP accepts a logical address from the IP protocol, maps the address to the corresponding physical address, and passes it to the data link layer.
[Figure: Position of ARP in TCP/IP protocol suite]
[Figure: ARP packet]
Encapsulation of ARP packet

Type: 0x0806

Preamble and SFD (8 bytes) | Destination address (6 bytes) | Source address (6 bytes) | Type (2 bytes) | Data | CRC (4 bytes)

Why are ARP packets not encapsulated in IP datagrams?
Because ARP packets never leave the LAN.

TCP/IP Protocol Suite 14


The ARP packet is encapsulated within an Ethernet packet.
Note: Type field for Ethernet is 0x0806
ARP Packet Format
Ethernet II header (sizes in bytes): Destination address (6) | Source address (6) | Type 0x0806 (2)
Followed by: ARP Request or ARP Reply (28) | Padding (10) | CRC (4)

ARP Request or ARP Reply:
Hardware type (2 bytes) | Protocol type (2 bytes)
Hardware address length (1 byte) | Protocol address length (1 byte) | Operation code (2 bytes)
Source hardware address*
Source protocol address*
Target hardware address*
Target protocol address*

* Note: The length of the address fields is determined by the corresponding address length fields.

An ARP request is broadcast; an ARP reply is unicast.
ARP Walkthrough Pt 1
1. ARP broadcasts an ARP Request packet that contains the target IP
address in an Ethernet frame with destination address
ff:ff:ff:ff:ff:ff (and source its own Ethernet address)
2. All hosts on the local network read the frame
3. The target host recognises the request for its IP address
ARP Walkthrough Pt 2
1. The target sends an ARP Reply packet containing its own Ethernet address
(the other hosts need do nothing)
2. It knows the source's Ethernet address as read from the request packet
3. The source gets the reply and reads out the target's Ethernet address
4. It can now use that Ethernet address to send IP packets
Example

A host with IP address 130.23.43.20 and physical address B2:34:55:10:22:10 has a packet to send to another host with IP address 130.23.43.25 and physical address A4:6E:F4:59:83:AB (which is unknown to the first host). The two hosts are on the same Ethernet network. Show the ARP request and reply packets encapsulated in Ethernet frames.
Note that the ARP data field in this case is 28 bytes.
Figure 7.7 Example 1 (figure labels: 46 bytes with padding; Broadcast Address)
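
The request and reply frames for this example, built and then decoded in Python. This is an added illustration, not part of the original slides; preamble/SFD and CRC are left out, and all function and variable names are this example's own.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
MIN_DATA = 46  # minimum Ethernet data field; the 28-byte ARP packet is zero-padded

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)

def build_arp_frame(op, sha, spa, tha, tpa, eth_dst):
    """Ethernet II frame (preamble/SFD and CRC omitted) carrying one ARP packet."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, lengths, opcode
    arp += mac_bytes(sha) + socket.inet_aton(spa)
    arp += mac_bytes(tha) + socket.inet_aton(tpa)
    header = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    return header + arp.ljust(MIN_DATA, b"\x00")

def parse_arp_frame(frame):
    """Decode an Ethernet II frame holding an Ethernet/IPv4 ARP packet."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is decoded here")
    off, parts = 22, []
    for size in (hlen, plen, hlen, plen):  # field sizes come from the length bytes
        parts.append(frame[off:off + size])
        off += size
    if off > len(frame):
        raise ValueError("truncated ARP packet")
    sha, spa, tha, tpa = parts
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
        "op": {1: "request", 2: "reply"}.get(op, op),
        "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
        "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa),
        "arp_len": off - 14, "data_len": len(frame) - 14,
    }

# The two hosts from the example above.
A_MAC, A_IP = "B2:34:55:10:22:10", "130.23.43.20"
B_MAC, B_IP = "A4:6E:F4:59:83:AB", "130.23.43.25"
# Request: broadcast, target hardware address unknown (all zeros).
REQUEST = build_arp_frame(1, A_MAC, A_IP, "00:00:00:00:00:00", B_IP, "FF:FF:FF:FF:FF:FF")
# Reply: unicast back to the requester, carrying B's physical address.
REPLY = build_arp_frame(2, B_MAC, B_IP, A_MAC, A_IP, A_MAC)
```

Calling `parse_arp_frame(REQUEST)` and `parse_arp_frame(REPLY)` returns the decoded fields of each frame; `REQUEST.hex()` gives the bytes as they would appear in a capture.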

ARP – Address Resolution Protocol

ARP resolves IP addresses to Ethernet (MAC) addresses.

[Figure: ARP Request and ARP Reply]
ARP Operation

When a host wants to send traffic to another host, it needs to construct both the L2 and L3 headers.

a) If the destination IP is in the same subnet, the host sends an ARP request, which is a broadcast. If there is a host whose IP is equal to the destination IP, it responds with an ARP reply, which is unicast. The source host will have ARP entries in its ARP table for all the hosts that are part of the same subnet.

b) If the destination IP is in a different subnet and a default gateway is configured, no ARP request is broadcast for the destination; instead the host forwards the packet to the default gateway (with the outgoing interface's MAC as source MAC and the default gateway's MAC as destination), without proxy ARP.
- To learn the MAC of the default gateway, the host broadcasts an ARP request for the gateway's IP address, and the router sends an ARP reply with its MAC address as a unicast.
- By default proxy ARP is not enabled.
- ARP entries will be present only for hosts in the local subnet, including the default gateway.

c) If the destination IP is in a different subnet and no default gateway is configured, the ARP request is broadcast. If proxy ARP is not enabled on the router, no ARP reply is sent back to the host even though the router has a route to the destination, and communication fails.
If proxy ARP is enabled on the router and it has a route to the destination, it responds with its own MAC address in the ARP reply and communication passes through.
ARP entries will be present for all hosts in the local subnet along with the gateway, and also for remote hosts that are part of a different subnet. For all remote hosts, the MAC address will be that of the default gateway.
Example: A Sending a Packet to B
How does host A send an IP packet to host B?
A sends packet to R, and R sends packet to B.

Host A Decides to Send Through R
• Host A constructs an IP packet to send to B
▫ Source 111.111.111.111, destination 222.222.222.222
• Host A has a gateway router R
▫ Used to reach destinations outside of 111.111.111.0/24
▫ Address 111.111.111.110 for R learned via DHCP

Host A Sends Packet Through R
• Host A learns the MAC address of R's interface
▫ ARP request: broadcast request for 111.111.111.110
▫ ARP response: R responds with E6-E9-00-17-BB-4B
• Host A encapsulates the packet and sends to R

R Decides how to Forward Packet
• Router R's adaptor receives the packet
▫ R extracts the IP packet from the Ethernet frame
▫ R sees the IP packet is destined to 222.222.222.222
• Router R consults its forwarding table
▫ Packet matches 222.222.222.0/24 via other adaptor

R Sends Packet to B
• Router R learns the MAC address of host B
▫ ARP request: broadcast request for 222.222.222.222
▫ ARP response: B responds with 49-BD-D2-C7-56-2A
• Router R encapsulates the packet and sends to B

An analyzer capture of the ARP Request

Ethernet II, Src: 00:30:65:2c:09:a6, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: 00:30:65:2c:09:a6 (AcroCom_2c:09:a6)
    Type: ARP (0x0806)
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: 00:30:65:2c:09:a6 (AcroCom_2c:09:a6)
    Sender IP address: 172.16.1.21 (172.16.1.21)
    Target MAC address: 00:00:00:00:00:00 (00:00:00_00:00:00)
    Target IP address: 172.16.1.33 (172.16.1.33)

The Cache Table

• If ARP just resolved an IP address, chances are a few moments later someone is going to ask to resolve the same IP address
• When ARP returns a MAC address, it is placed in a cache. When the next request comes in for the same IP address, look first in the cache

ARP Cache
• Sending an ARP request and waiting for the response for every outgoing packet is inefficient
▫ Requires more bandwidth
▫ Consumes time
• ARP cache maintained at each node

Cache Table

• Each host maintains a table of IP to MAC addresses
• Message types:
▫ ARP request
▫ ARP reply
▫ ARP announcement

ARP may also be used as a simple announcement protocol. This is useful for updating other hosts' mapping of a hardware address when the sender's IP address or MAC address has changed. Such an announcement, also called a gratuitous ARP message, is usually broadcast as an ARP request containing the sender's protocol address (SPA) in the target field (TPA=SPA), with the target hardware address (THA) set to zero. An alternative is to broadcast an ARP reply with the sender's hardware and protocol addresses (SHA and SPA) duplicated in the target fields (TPA=SPA, THA=SHA).

An ARP announcement is not intended to solicit a reply; instead it updates any cached entries in the ARP tables of other hosts that receive the packet.

ARP Cache Problems
• Cache space may be limited
• Hosts move or change IP addresses
• Solution?
▫ Drop (invalidate) cache entries after “a while” (20 minutes is normal)

Arp Cache
Since sending an ARP request/reply for each IP datagram is inefficient, hosts maintain a cache (ARP Cache) of current entries. The entries expire after 20 minutes.

C:\>arp -a

Interface: 192.128.5.2 --- 0x3
  Internet Address      Physical Address      Type
  192.128.5.1           00-08-5c-8e-4f-a2     dynamic

Interface: 10.209.240.95 --- 0x10005
  Internet Address      Physical Address      Type
  10.209.194.16         00-ff-5b-fa-3e-8a     dynamic
  10.209.194.27         00-ff-5b-fa-3e-8a     dynamic
  10.209.194.50         00-ff-5b-fa-3e-8a     dynamic
  61.246.63.72          00-ff-5b-fa-3e-8a     dynamic
  61.246.63.80          00-ff-5b-fa-3e-8a     dynamic
  63.150.131.164        00-ff-5b-fa-3e-8a     dynamic
  63.150.131.179        00-ff-5b-fa-3e-8a     dynamic
  66.129.252.125        00-ff-5b-fa-3e-8a     dynamic
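
In the second interface above, every entry resolves to the same physical address, including addresses that cannot be on the local subnet. That is the cache state case (c) of "ARP Operation" describes for proxy ARP, and it is also how a cache looks when forged replies have been accepted, so it is worth flagging for review. The following added example (not part of the original slides) parses `arp -a` output and reports MACs shared by several IPs; the prefix lengths are assumptions, since `arp -a` does not show the subnet mask.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: rows taken from the `arp -a` output shown above (trimmed).
ARP_A_OUTPUT = """\
Interface: 192.128.5.2 --- 0x3
  Internet Address      Physical Address      Type
  192.128.5.1           00-08-5c-8e-4f-a2     dynamic

Interface: 10.209.240.95 --- 0x10005
  Internet Address      Physical Address      Type
  10.209.194.16         00-ff-5b-fa-3e-8a     dynamic
  10.209.194.27         00-ff-5b-fa-3e-8a     dynamic
  61.246.63.72          00-ff-5b-fa-3e-8a     dynamic
  63.150.131.164        00-ff-5b-fa-3e-8a     dynamic
"""
# Assumed prefix lengths per interface (hypothetical; not shown by arp -a).
ASSUMED_PREFIX = {"192.128.5.2": 24, "10.209.240.95": 16}

IFACE_RE = re.compile(r"^Interface:\s+(\S+)")
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(\w+)")

def parse_arp_table(text):
    """Return {interface_ip: [(ip, mac, type), ...]} from Windows `arp -a` output."""
    table, iface = defaultdict(list), None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and iface:
            table[iface].append((m.group(1), m.group(2).lower(), m.group(3)))
    return dict(table)

def shared_mac_report(table, prefix_len):
    """Report MACs that answer for several IPs, listing the off-link ones separately."""
    findings = []
    for iface, entries in table.items():
        net = ipaddress.ip_network(f"{iface}/{prefix_len[iface]}", strict=False)
        by_mac = defaultdict(list)
        for ip, mac, _type in entries:
            by_mac[mac].append(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                off = [ip for ip in ips if ipaddress.ip_address(ip) not in net]
                findings.append({"iface": iface, "mac": mac, "ips": ips, "off_link": off})
    return findings
```

A finding whose MAC is the known gateway or proxy-ARP router is expected; a finding for any other MAC, or one that appears suddenly, deserves a closer look.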

ARP Command
• To display table
arp -a
• To enter manually (Static Entry)
arp -s 192.168.1.2 00-FE-FE-FE-FE-FE
• To delete entry
arp -d 192.168.1.2
Reverse ARP (RARP)

[Figure: RARP exchange. Request: "What is my IP address?" (Ethernet: 0800.0020.1111, IP = ???). Reply: "I heard that broadcast. Your IP address is 172.16.3.25." (Ethernet: 0800.0020.1111, IP: 172.16.3.25).]

When a diskless computer is booted, it needs more information in addition to its IP address. It needs to know its subnet mask, the IP address of a router, and the IP address of a name server. RARP cannot provide this extra information. New protocols have been developed to provide this information. BOOTP and DHCP are protocols that can be used instead of RARP.
Proxy ARP
• Proxy ARP: Host or router responds to ARP Request that arrives from one of its connected networks for a host that is on another of its connected networks.
• If default GW is not configured on end hosts, PROXY ARP must be enabled on routers, otherwise ARP resolution can’t happen on end hosts for remote networks.

[Figure: hosts Argon and Neon connected through Router137, with subnet 128.143.0.0/16 on one side and subnet 128.143.71.0/24 on the other. Addresses shown: 128.143.137.1/16, 128.143.137.144/16, 128.143.71.1/24, 128.143.171.21/24. MAC addresses shown: 00:e0:f9:23:a8:20, 00:20:af:03:98:28.]

ARP Request: What is the MAC address of 128.143.71.21?
ARP Reply: The MAC address of 128.143.71.21 is 00:e0:f9:23:a8:20
Things to know about ARP
• What happens if an ARP Request is made for a non-existing host? Several ARP requests are made with increasing time intervals between requests. Eventually, ARP gives up.
• On some systems (including Linux) a host periodically sends ARP Requests for all addresses listed in the ARP cache. This refreshes the ARP cache content, but also introduces traffic.
• Gratuitous ARP Requests: A host sends an ARP request for its own IP address:
▫ Useful for detecting if an IP address has already been assigned.
Vulnerabilities of ARP
1. Since ARP does not authenticate requests or replies, ARP Requests and Replies
can be forged
2. ARP is stateless: ARP Replies can be sent without a corresponding ARP Request
3. According to the ARP protocol specification, a node receiving an ARP packet
(Request or Reply) must update its local ARP cache with the information in the
source fields, if the receiving node already has an entry for the IP address of the
source in its ARP cache. (This applies for ARP Request packets and for ARP
Reply packets)

Typical exploitation of these vulnerabilities:
• A forged ARP Request or Reply can be used to update the ARP cache of a remote system with a forged entry (ARP Poisoning)
• This can be used to redirect IP traffic to other hosts
ARP Spoofing (ARP Poisoning)
• Send fake, or 'spoofed', ARP messages to an Ethernet LAN.
▫ To have other machines associate IP addresses with the attacker’s MAC
• Defenses
▫ Static ARP table
▫ DHCP snooping (use access control to ensure that hosts only use the IP addresses assigned to them, and that only authorized DHCP servers are accessible).
▫ Detection: Arpwatch (sending email when updates occur)
• Legitimate use
▫ Redirect a user to a registration page before allowing usage of the network
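
The detection idea behind the defenses above, as an added example that is not part of the original slides and is not Arpwatch's code: a monitor that tracks IP-to-MAC bindings seen in decoded ARP traffic, flags replies with no matching request (vulnerability 2), flags changed bindings (vulnerability 3), and refuses to learn over a static entry. The event tuples, the alert names and the third MAC address are constructed for the example; the two host addresses come from the worked example earlier on the page.

```python
from collections import namedtuple

ArpEvent = namedtuple("ArpEvent", "ts op sha spa tha tpa")  # already-decoded ARP fields
REQUEST, REPLY = 1, 2

class ArpMonitor:
    """Track IP-to-MAC bindings seen in ARP traffic and report suspicious updates."""

    def __init__(self, reply_window=2.0, static=None):
        self.bindings = {}                # ip -> mac last learned
        self.pending = {}                 # (asker_ip, asked_ip) -> time of request
        self.reply_window = reply_window  # seconds a request counts as outstanding
        self.static = dict(static or {})  # administrator-pinned ip -> mac

    def observe(self, ev):
        alerts = []
        gratuitous = ev.spa == ev.tpa     # announcement: sender asks about itself
        if ev.op == REQUEST and not gratuitous:
            self.pending[(ev.spa, ev.tpa)] = ev.ts
        if ev.op == REPLY and not gratuitous:
            asked = self.pending.pop((ev.tpa, ev.spa), None)
            if asked is None or ev.ts - asked > self.reply_window:
                alerts.append("unsolicited-reply")
        pinned = self.static.get(ev.spa)
        if pinned and pinned != ev.sha:
            return alerts + ["static-mismatch"]  # never learn over a pinned entry
        known = self.bindings.get(ev.spa)
        if known is None:
            alerts.append("new-station")
        elif known != ev.sha:
            alerts.append("mac-changed")
        self.bindings[ev.spa] = ev.sha
        return alerts

A_MAC, A_IP = "B2:34:55:10:22:10", "130.23.43.20"
B_MAC, B_IP = "A4:6E:F4:59:83:AB", "130.23.43.25"
ROGUE_MAC = "02:00:00:00:00:99"           # constructed third station
ZERO = "00:00:00:00:00:00"
EVENTS = [                                # constructed sample traffic
    ArpEvent(0.00, REQUEST, A_MAC, A_IP, ZERO, B_IP),
    ArpEvent(0.01, REPLY, B_MAC, B_IP, A_MAC, A_IP),
    ArpEvent(30.0, REPLY, ROGUE_MAC, B_IP, A_MAC, A_IP),  # no request outstanding
]

def run(events, **kwargs):
    monitor = ArpMonitor(**kwargs)
    return [(ev.ts, ev.spa, ev.sha, monitor.observe(ev)) for ev in events]
```

`run(EVENTS)` reports the third event as both an unsolicited reply and a changed binding; `run(EVENTS, static={B_IP: B_MAC})` shows the same event rejected against the pinned entry.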
